KDF: Deriving Key from Password
Last updated
Was this helpful?
Last updated
Was this helpful?
Now let's explain in details how to securely derive a key from a password and the most popular key derivation functions (KDFs) used in practice: , , and .
[TODO: explain the Linux crypt: SHA-512 key derivation]
We shall discuss the strong and weak sides of the above mentioned KDFs and when to use them.
In cryptography we often use passwords instead of binary keys, because passwords are easier to remember, to write down and can be shorter.
When a certain algorithm needs a key (e.g. for encryption or for digital signing) a key derivation function (password -> key) is needed.
We already noted that using SHA-256(password) as key-derivation is insecure! It is vulnerable to many attacks: brute-forcing, dictionary attacks, rainbow attacks and others, which may reverse the hash in practice and attacker can obtain the password.
, , and are significantly stronger key derivation functions and are designed to survive password guessing (brute force) attacks.
By design secure key derivation functions use salt (random number, which is different for each key derivation) + many iterations (to speed-down eventual password guessing process). This is a process, known as .
To calculate a secure KDF it takes some CPU time to derive the key (e.g. 0.2 sec) + some memory (RAM). Thus deriving the key is "computationally expensive", so password cracking will also be computationally expensive.
When a modern KDF function is used with appropriate config parameters, cracking passwords will be slow (e.g. 5-10 attempts per second, instead of thousands or millions attempts per second).
All of the above mentioned key-derivation algorithms (, , and ) are not patented and royalty-free for public use.
Let's learn more about these modern KDF.